.NET Tutorials, Forums, Interview Questions And Answers
HOWTO: Verify that custom error handling solutions do not expose padding oracle

Posted By:  Posted Date: September 20, 2010  Points: 0  Category: ASP.Net

I've done some digging and come up with what I think is useful information for you if you have a custom error handling solution in place instead of or as well as the usual ASP.NET <customErrors> stuff.

From comments on ScottGu's post, it seems that the main suspect for being the actual padding oracle is WebResource.axd (possibly other axd's).

  • If you look in .NET Reflector at the IHttpHandler.ProcessRequest method in System.Web.Handlers.AssemblyResourceLoader, there's a call to Page.DecryptString early on.
  • This is the thing that will cause an HTTP 500 status to be returned if it fails, e.g. if the padding, etc. in Request.QueryString["d"] is invalid.
  • If the attacker manages to get the padding right, then it continues on, ultimately to call throw new HttpException(404...).

It's this differentiation: is the padding correct (404) or not (500) that is at the root of the exploit: the padding oracle.

If your error handling returns exactly the same response for both, it masks the oracle. To test if you're vulnerable externally, a simple test is to request both:
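
One way to carry out the comparison the post describes, as an added example that is not part of the original post: fetch the two test requests against your own application and report every client-visible signal (status code, Content-Type, body) by which they can be told apart. The two URLs are whatever you chose for the test; the script does not build them, and the echoed request URL can be blanked out so that a legitimately varying error page is not counted as a difference. The names `Observed`, `fetch`, `differences` and `masks_oracle` are this example's own, not anything from ASP.NET.

```python
"""Check whether a custom error page hides the 404-vs-500 split described above."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Observed:
    """What a client can see of one response: the signals an oracle could leak through."""
    status: int
    body: bytes
    content_type: str


def fetch(url: str, timeout: float = 10.0) -> Observed:
    """Fetch url and record status, body and Content-Type.

    urllib raises HTTPError for 4xx/5xx; for this check those are ordinary
    responses, so they are captured instead of propagated.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return Observed(resp.status, resp.read(), resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as err:
        return Observed(err.code, err.read(), err.headers.get("Content-Type", ""))


def _normalise(body: bytes, ignore: tuple[bytes, ...]) -> bytes:
    """Blank out substrings that legitimately vary between the two pages (e.g. the echoed URL)."""
    for token in ignore:
        body = body.replace(token, b"")
    return body


def differences(a: Observed, b: Observed, ignore: tuple[bytes, ...] = ()) -> list[str]:
    """List every client-visible way the two responses can be distinguished."""
    diffs = []
    if a.status != b.status:
        diffs.append(f"status code: {a.status} vs {b.status}")
    if a.content_type != b.content_type:
        diffs.append(f"content-type: {a.content_type!r} vs {b.content_type!r}")
    if _normalise(a.body, ignore) != _normalise(b.body, ignore):
        diffs.append(f"body: {len(a.body)} vs {len(b.body)} bytes")
    return diffs


def masks_oracle(a: Observed, b: Observed, ignore: tuple[bytes, ...] = ()) -> bool:
    """True when the two responses are indistinguishable, i.e. the error handling hides the split."""
    return not differences(a, b, ignore)


if __name__ == "__main__":
    # Usage: python check_errors.py <first-test-url> <second-test-url>
    # Both URLs are supplied by you for your own site; this script does not construct them.
    url_a, url_b = sys.argv[1], sys.argv[2]
    a, b = fetch(url_a), fetch(url_b)
    ignore = (url_a.encode(), url_b.encode())
    for d in differences(a, b, ignore):
        print("distinguishable by", d)
    print("oracle masked" if masks_oracle(a, b, ignore) else "oracle exposed")
```

The status code is only the most obvious signal; a default ASP.NET error page also differs in body length and content between a 404 and a 500, which is why the script compares all three rather than the status alone.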

More Related Resource Links

Error Handling: Throwing Custom Exception Types from a Managed COM+ Server Application


Exception handling semantics in .NET are based on type, so you can create custom exceptions that have their own properties and methods. In .NET, exceptions are first-class citizens, and since they're the built-in error handling mechanism, all .NET-compliant languages must support exceptions. In addition, COM+ services are available to .NET code as Enterprise Services, so you can leverage exceptions in your Enterprise Services design. In this article the author describes custom exceptions, throwing exceptions across COM interop boundaries, and working with Enterprise Services.

Bob DeRemer

MSDN Magazine March 2004

What is the correct error handling in custom model binding?

Hello, I am working on a Custom Model Binder where a certain error can occur. When this happens it returns null and an error is added to the ModelState. The problem is that in some projects I am using Fluent Validation and the error messages I am adding through FV are not taking effect. The message added by the Model Binder always prevails. Should the Model Binder add error messages or just bind the field and return null if some problem happened? What would be the correct implementation for this? Thanks, Miguel

Handling 404 page not found with Error page



How do I handle 404 page not found?

Error while using exception handling block el 4.1


Hi Folks,


I am trying to use the exception handling block of Enterprise Library 4.1.


I just created a policy and used IndexOutOfRangeException and added a replace handler and a logging handler to it.

I am using the NotifyRethrow PostHandlingAction to the exception.


During runtime I am getting an exception on the HandleException event. The exception is added below:



Object reference not set to an instance of an object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

Line 42:             catch (Exception ex)
Line 43:             {
Line 44:                 bool reThrow = ExceptionPolicy.HandleException(ex, "ReplacePolicy");
Line 45:         

Custom Control Design-Time SiteMap Provider Error


Greetings - I was referred here by MSDN forums; hope this is the right place.

I have a custom control (:WebControl) that renders web.sitemap in a specific way. While it runs error free and produces the expected result, at Design-Time it complains

Error Creating Control - MyControl  The provider 'AspNetXmlSiteMapProvider' specified for the defaultProvider does not exist in the providers collection.

I have discovered that the error is caused by this line of code:

string div = string.Format("<div class='{0}' id='{1}'>{2}</div>", this.CssClass, this.ID.ToString(), EnumerateNodesRecursive(SiteMap.RootNode, level));

or more specifically, by the reference to SiteMap.RootNode - I am not clear what is missing though because I have configured the SiteMapProvider in web.config as this:

        <add name="AspNetXmlSiteMapProvider" 
             type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 

Custom Control Design view error



I have created a custom control from scratch and it works fine as in you can build the project that uses it and it works fine at runtime. Problem is when you go to design view the control shows an error in the place of where the control should be rendered.

Error: '<SomeValue>' Could not be set to '<SomeProperty>'

This shows up on all my custom set properties. These properties are created as basic as possible. I can give the properties values in Source view and run the app just fine. I can even add a Onclick event. If I don't set any custom properties the control will render fine in Design view. It's only when I set a value to a custom property.

Property Code Example:

public string Text
{
    get
    {
        // Read the value back from ViewState, defaulting to an empty string
        string ret = "";
        object obj = ViewState["Text"];
        if (obj != null)
            ret = obj.ToString();
        return ret;
    }
    set
    {
        // Persist the value in ViewState so it survives postbacks
        ViewState["Text"] = value;
    }
}

I've even removed the Category and Description tags with no difference.

I don't know if what I said makes sense, but I hope it

Foundations: Error Handling In Workflows


Workflows often define long-running processes and an unhandled failure usually means termination. Avoid this scenario by handling exceptions properly.

Matt Milner

MSDN Magazine February 2009

.NET Exceptions: Make the Transition from Traditional Visual Basic Error Handling to the Object-Orie


If you're used to Visual Basic 6.0 and you're making the transition to Microsoft .NET, you will find that error handling is quite different from what you've used for years. Visual Basic .NET uses a more object-oriented solution to signaling and responding to unexpected problems while your program is running. This approach, called structured exception handling, has a number of advantages over the On Error statements provided in previous versions of Visual Basic. For instance, exceptions give you lots more information about exactly what went wrong in your app. To help you take advantage of this modern error handling paradigm, this article will show you how to raise and respond to exceptions, as well as how to create your own custom exception classes.

Jesse Liberty

MSDN Magazine November 2002

Office XP: Build a Custom DLL to Expose Your Objects and Services Through Smart Tag Technology


Smart Tags is a new technology delivered with Office XP that makes it easy for users to complete common tasks on familiar and relevant data regardless of the application they are using. Microsoft provides tools to make it easy to roll out simple Smart Tag applications using XML as a backbone. The Smart Tag SDK provides the detail needed to build a COM automation server for Smart Tags in Visual Basic or Visual C++. This article brings the reader through the SDK to outline the process of building a Smart Tag DLL using the tag recognizer and the action provider to create customized user experiences.

Paul Sanna

MSDN Magazine January 2002

Propagate Error Info: Use ATL and C++ to Implement Error-Handling COM Objects


Predefined error codes returned from HRESULT aren't always much help for debugging COM C++ code. The C++ macros provided with this article produce an XML file listing the error and its context to make debugging easier. This article begins with an overview of error handling in COM, then discusses the COM interfaces used in the macros. It explains how C++ exceptions are caught and converted to COM-compatible error information, how events are logged with the event viewer, and how context is reported in the description string of IErrorInfo. The macros handle logic errors and errors returned by an object or API.

Panos Kougiouris

MSDN Magazine October 2000

Custom tool error: Failed to generate code for the service reference 'CompanyService'. Please che


A little background because I feel I have an out of the ordinary architecture in place and don't know if this is contributing to the problem. 

We have an existing ASP.net application that is undergoing expansion.  The new functionality is all written in Silverlight 4.  As part of that expansion I gutted all the old Linq to SQL and put Entity Framework 4 into place.  To do this I created a standard .net Class Library and added my edmx files there.  Naturally, the business entities created by this cannot be used in Silverlight.  So I created a Silverlight Class Library and added all the business entities to that Silverlight Class Library as linked files.  I changed the name space to be the same.

So I have the following assembly / namespaces

Company.Project.Dal.csproj / Company.Project.Entities (.net 4 class library)

Company.Project.Entities.csproj / Company.Project.Entities (SL4 class library)

With this architecture I was able to share my business entities with my SL enabled web services, my asp.net projects, my silverlight projects.  Really it's a beautiful thing.

Once this was done I added "message" classes to Company.Project.Dal and again shared them with the other entites using linked files.  These messages are things like MyObjectRequest; they are class

WebResource.axd - Padding is invalid and cannot be removed error



I'm working on a site that is hosted externally, and the admin just sent me an email saying they're getting the following error:


Event code: 3005 

Event message: An unhandled exception has occurred.

Event time: 11/17/2008 8:11:24 AM

Event time (UTC): 11/17/2008 8:11:24 AM

Event ID: 5d3b54c09a24463ca8fb03f22692e0bb

Event sequence: 731

Event occurrence: 3

Event detail code: 0

Application information:

Application domain: /LM/W3SVC/1776482879/ROOT-1-128713348984007217

Trust level: Full

Application Virtual Path: /

Application Path: D:\....

Machine name: ****

Process information:

Process ID: 2272

Process name: w3wp.exe

Account name: ****

Exception information:

Exception type: CryptographicException

Exception message: Padding is invalid and cannot be removed.

Request information:

Request URL: http://sitename/WebResource.axd?d=_O9D297IUE-qcgMP0yFe-w2&t=633468747532779057

Request path: /WebResource.axd

User host address:


Is authenticated: False

Authentication Type:

Thread ac

"An error occurred while retrieving data from Oracle Instance..."


I have successfully imported the ADF and have also successfully created a Business Data Column. But when I try to query data, I get the following error:

An error occurred while retrieving data from Oracle Instance. Administrator, see the server log for more information

And this is what I found in the Application Logs
A Metadata Exception was constructed in App Domain '/LM/W3SVC/81256521/ROOT-1-129217212004078822'. The full exception text is: LobSystem could not be found using criteria 'id=476'.

Rejected by custom validation error & ItemAdding



I believe this topic was discussed before in this forum, but I couldn't find it using the exact error I receive: "operation for file.doc was rejected by custom validation on the server"

When I try to add a new word document to my doc library, Word displays this error instead of my custom error message. I set properties.Cancel=true in ItemAdding of my EventHandler, because my validation fails. 

Is there any way to display user properties.ErrorMessage instead of this generic error message?


Returning custom error messages with an UserNamePasswordValidator

Ok, my head hurts from banging it against the wall. I'm new to WCF, I have searched for a solution for days, please help a desperate fellow programmer if you can :-( I have a WCF service hosted in IIS, I implemented a UserNamePasswordValidator, and it seems impossible to find a way to return a custom error message to the client when the user is not allowed in, this blows my mind. I have searched everywhere, many are asking the same question since 2006 and so far I haven't found an answer that works. If you are thinking of replying that it is not secure to return a custom error message to an unauthenticated client, please save yourself some time and don't do it. There are multiple enterprise business scenarios that this is required. Just in our organization an account could be locked out, in which case the user must be directed to the IT department to get it unlocked, it could be that the credentials are correct but the user hasn't paid their fees in which case they must be directed to the appropriate department, or it could even be that the user tried to access the service during a time of the day in which the service is not available. From searching around, I have tried doing the things below in the Validate method, however the client always receives a MessageSecurityException, which contains none of the custom messages that were originally thrown, neither in the object,

Cannot delete custom column in calendar list - 'unknown error'

I've created a column in a calendar list and now cannot delete it. I've cleared all data and I still get the "Unknown Error" message when I try to delete. jan

WCF REST and Custom Error Handler

I have a RESTful WCF service, and I am trying to roll a custom behavior that extends the WebHttpBehavior, to provide my service a custom error handler (by implementing IErrorHandler of course). When I debug my service, the only breakpoint I hit is the getter on the BehaviorExtensionElement's BehaviorType property. None of the other methods are ever invoked; BehaviorExtensionElement.CreateBehavior(), WebHttpBehavior.AddServerErrorHandlers(), as well as nothing in my implementation of IErrorHandler. This leads me to believe that something isn't being registered with WCF. My service is defined in the app.config. When I step-through a call to one of my service's operations, I would expect that the process of throwing an exception would force my service to transfer the work to my error handler. But this is not the case... My service stops and throws me an unhandled exception, and nothing is sent to the client as a result. Am I doing something wrong? Am I not understanding this process? If someone could help me out it would be greatly appreciated!My code basically has implementations of IErrorHandler, and classes that derive WebHttpBehavior with an override on AddServerErrorHandlers(), and also BehaviorExtensionElement with an override for the property BehaviorType and method CreateBehavior(). Nothing fancy, but I have a feeling I may be missing something...This is my app.config:&